
Backups in the web directory

Identify publicly accessible backups in the webroot

Background

When work is done on a website, backups of its files or of its database are usually created, for example to set up a copy of the site in a staging environment or to migrate the web application to another hosting provider.

Such backups usually contain highly sensitive data and must therefore not fall into the hands of strangers. What can be extracted depends on what the backup holds. A database backup, for example, reveals contact data and customer orders, and it also contains the stored password hashes of customers and administrators. These hashes cannot be used to log in directly, but once an attacker has them offline they can be cracked at leisure, and weak or reused passwords will be recovered.

If an attacker obtains a backup of the file system rather than of the database, the configuration files are the main risk. They usually contain the database credentials, which can then be used to log in to the database administration interface.

How are backups read by attackers?

To find such backups, attackers enumerate likely file names: they simply request frequently used names such as backup.zip, backup.sql, db.sql or www.tar.gz below the webroot and look for a response that returns the file. This is commonly called brute forcing, although it is really a dictionary attack with a small wordlist, which is exactly why it is cheap, fast and fully automated.

Tips for users

It is recommended to always create and store backups and other temporary files outside the webroot, so that the web server simply cannot serve them to anyone. As an additional safeguard, the web server can be configured to refuse requests for typical backup extensions (.sql, .zip, .tar.gz, .bak, .old), but this is a second line of defence, not a replacement for keeping the files out of the webroot.

For online stores in live operation, the file system should therefore be checked for old backups that were left behind, and any that are found should be removed or, if they are still needed, moved outside the webroot.
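The check described above, as an added example that is not part of the original article and not eComscan's own logic: a small POSIX shell function that lists files under a webroot whose names look like backups, database dumps or editor leftovers. The path /var/www/html in the usage line is an assumed default, and the pattern list is a starting point rather than a complete one. Review every hit before deleting it, since a store may legitimately serve downloadable archives from its media directory.

```shell
#!/bin/sh
# Added example, not from the original article: list files in a webroot whose
# names suggest backups, dumps or editor leftovers. Uses only find(1), sort(1)
# and wc(1), so it runs on any Linux or BSD host without extra tools.

# Print every regular file under "$1" whose name matches a typical backup
# pattern. Matching is case-insensitive; extend the list for your own naming.
find_webroot_backups() {
    webroot="$1"
    find "$webroot" -type f \( \
        -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.sql.zip' \
        -o -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname '*.tgz' \
        -o -iname '*.bak' -o -iname '*.old' -o -iname '*.orig' -o -iname '*.bkp' \
        -o -iname '*~' -o -iname '*.swp' \
        -o -iname '*backup*' -o -iname '*dump*' \
        \) -print | sort
}

# Number of hits, so a cron job or deployment step can fail when anything
# backup-like is still lying around in the webroot.
count_webroot_backups() {
    find_webroot_backups "$1" | wc -l | tr -d ' '
}

# Usage: sh webroot-backups.sh /var/www/html   (the path is an assumption)
if [ "$#" -gt 0 ]; then
    find_webroot_backups "$1"
    n=$(count_webroot_backups "$1")
    echo "$n backup-like file(s) found under $1" >&2
    [ "$n" -eq 0 ]
fi
```

The script exits non-zero when anything is found, so it can be wired into a deployment pipeline or a daily cron job as a simple guard alongside the ShopSecurity scan described below.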

Additional security at maxcluster

Our security partner Sansec has conducted a backup analysis of over 2,000 installed store instances. Backups were found in the file system of twelve percent of the stores tested, which could be a worthwhile target for attackers.

Sansec's scanner eComscan has recently gained the ability to detect such files.

At maxcluster we use eComscan for the malware scan of our managed feature ShopSecurity, so ShopSecurity can also be used to scan for backups accidentally stored in the webroot. Such a scan is available to all our customers free of charge and can be started at any time through our Managed Center. We therefore recommend running it on a regular basis.

Starting with our service package Managed Business, we also offer daily automatic ShopSecurity scans at no additional cost. If you have any questions, please contact us as usual at support@maxcluster.de or by phone at +49 5251 4141 30.

Do you need assistance?

maxcluster GmbH
24 / 7 Customer support
Telephone:
+49 5251 414130
E-Mail:
support@maxcluster.de